ISPConfig & AjaXplorer

I have been working on the AjaXplorer bridge and have made a lot of progress; however, it is not finished yet. I'll post what I have here and also on the AjaXplorer forum and hope that someone with a similar setup finds it useful and might even contribute to the solution. Thanks to apoana on howtoforge for laying the groundwork.

My ISPConfig setup is multi server. AjaXplorer is installed on, and its database tables must be created in the master ISPConfig database. There are no modifications required on the slave servers.

You will log in to AjaXplorer with your ISPConfig username/password.
The process is to find the groups in sys_user where this user has access. For each group that has an ssh user defined, a Repository is created. This happens automatically at each login, but we skip the Repositories which are already created (but first checking for changes to the hostname, domainname, username and pass).

In order to make the connection from the master server to the slave, AjaXplorer needs to know the password, so changes have been made in ISPConfig to save the users' shell pass in cleartext. Obviously a security issue - maybe someone can figure out a better way? Using the SSH account gives us the possibility to connect via the secure and fast SFTP plugin. I did have other problems with this though, see below...

TODO:
1. delete repositories which don't exist (as defined in ISPConfig)
2. find a better way to authenticate the repositories, so that we don't save passwords in cleartext
3. Passthrough authentication from ISPConfig
4. Fix the issues with SFTP or choose a different data access mechanism
- image thumbnails not working
- downloads slow to initialize
- zip folders not working
- apparent folder access error when using jailkit on the slave

Yes, there have been many improvements - AjaxPlorer is very interesting, but I must admit the ISPC3 plugin is not ready for beta testing or even use. Please do improve!

Scenario:
1. My ISPConfig setup is multiserver
2. AJXP is running on the same server as the control panel
3. The control panel does not host any customer sites, so all AJXP connections are proxied through the CP.
4. File access method is SFTP / FTP over SSH
5. On login to AJXP, repositories are created for each ISPC3 shell account a user has access to (by group IIRC)

There are two real problems:
1. AjaxPlorer can't show / set the permissions correctly.
- The real issue is AJXP tries to cache all file attributes when it reads a directory. File operations are first compared to the cached ownership & permissions. The devs made a quick fix to allow writing to directories by adding 022 to the cached permission, allowing the target server to actually decide if the operation would complete - which essentially works, but also screws up the permissions dialog.
2. The ISPC3 plugin needs to be cleaned up and sorted out.
- OnLogin: Check which accounts should be accessible; correctly create the repository; delete any repositories which don't exist anymore (or don't have permission for?); Perhaps Autologin?

And at least one other ugly issue:
1. AJXP needs to know the SSH usernames and passwords, so I modified ISPC3 code to also save a cleartext copy of the Shell password.

Other observations:
1. Jailkit seems to work just fine
2. Image / Movie previews don't work well. It is optional for me, so I have not looked into this any further. The issue is the time it takes to download all images to the proxy and create thumbnails is not fun. Disabling this made things pretty snappy.

So to get started:
1. Get the latest AjaxPlorer and configure: http://www.ajaxplorer.info/wordpress/download/
2. Apply this plugin to the AJXP files (careful about server/conf.php)
3. Install the MySQL tables. Check the code first that it does what you expect, use a test instance of ISPC3. There is SQL code in plugins/auth.ispconfig/ceate.sql
4. Apply the ISPC3 changes (again, in your test server)
5. Create Shell users in ISPC3
6. Log in to AJXP, try it out
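
The login-time repository check described in the posts above (create missing repositories, update those whose hostname, domainname, username or pass changed, delete those ISPConfig no longer grants), as an added PHP example that is not part of the original posts or of the auth.ispconfig plugin. The `id` key, the array shapes and the sample values are assumptions made for illustration.

```php
<?php
// Added example. Array shapes and the 'id' key are assumptions for illustration;
// they are not the auth.ispconfig plugin's actual data structures.

/**
 * Decide what to do with each repository at login.
 * $accounts:     shell accounts ISPConfig grants this user, one array per account.
 * $repositories: repositories AjaXplorer already holds for this user.
 * Both are matched on a stable 'id', so a renamed host or user is an update,
 * not a delete plus a create.
 */
function planRepositorySync(array $accounts, array $repositories): array
{
    // Fields the post says are checked for changes on existing repositories.
    $tracked = ['hostname', 'domainname', 'username', 'pass'];
    $plan = ['create' => [], 'update' => [], 'keep' => [], 'delete' => []];

    $wanted = array_column($accounts, null, 'id');
    $existing = array_column($repositories, null, 'id');

    foreach ($wanted as $id => $account) {
        if (!isset($existing[$id])) {
            $plan['create'][] = $id;
            continue;
        }
        $changed = [];
        foreach ($tracked as $field) {
            if (($account[$field] ?? null) !== ($existing[$id][$field] ?? null)) {
                $changed[] = $field; // record the field name only, never the value
            }
        }
        if ($changed) {
            $plan['update'][$id] = $changed;
        } else {
            $plan['keep'][] = $id;
        }
    }
    // Repositories with no matching ISPConfig account are stale and get removed.
    $plan['delete'] = array_values(array_diff(array_keys($existing), array_keys($wanted)));
    return $plan;
}

// Constructed sample data (not from a real installation).
$accounts = [
    ['id' => 11, 'hostname' => 'web1.example.test', 'domainname' => 'a.example.test', 'username' => 'c1shell', 'pass' => 'new-secret'],
    ['id' => 12, 'hostname' => 'web2.example.test', 'domainname' => 'b.example.test', 'username' => 'c1other', 'pass' => 'secret-b'],
];
$repositories = [
    ['id' => 11, 'hostname' => 'web1.example.test', 'domainname' => 'a.example.test', 'username' => 'c1shell', 'pass' => 'old-secret'],
    ['id' => 13, 'hostname' => 'web3.example.test', 'domainname' => 'c.example.test', 'username' => 'c1gone', 'pass' => 'secret-c'],
];
print_r(planRepositorySync($accounts, $repositories));
```

The plan lists only ids and changed field names, so it can be logged without writing the stored shell password to a log file.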


Do you let Ajaxplorer use the credential of the session to use the SFTP plugin? Instead of copying the password in plain text. (Not quite sure)

Also, I'm worried about the permission issue, especially by activating Jailkit.
You confirm that if Jailkit is activated for a user, Ajaxplorer can still access its folder and modify stuff? (As it is not the same user running the Shell and the Ajaxplorer, I guess there is a problem there with the permission, no?)

Jailkit only forces a particular user to remain within a specified directory.

Each of the AJXP repositories created uses the shell account respective to the current user, so there can't really be any permissions error. In my case the user logged in must have write access.

The shell authentication happens in the background, as does the creation of repositories. The user doesn't even have to know that the account exists (if it is permissible to hide it from them in ISPC3). Actually I might block SSH from the hardware firewall and allow it only from the AJXP server.

You can see that the session credential isn't enough for access to all the user's repositories across multiple servers.